Purpose

The purpose of this document is to clearly define roles and responsibilities that are essential to the implementation of the University’s Information Security Policy.

Scope

These Roles and Responsibilities apply to all faculty, staff and third-party Agents of the University as well as any other University affiliate who is authorized to access Institutional Data.

Maintenance

These Roles and Responsibilities will be reviewed by the University’s Information Security Office every 5 years or as deemed appropriate based on changes in technology or regulatory requirements.

Definitions

Agent, for the purpose of these Roles and Responsibilities, is defined as any third-party that has been contracted by the University to provide a set of services and who stores, processes or transmits Institutional Data as part of those services.

Executive Steering Committee on Computing (“ESCC”) is a committee appointed by the Provost. Members include the Provost, Vice Provost for Computing and Chief Information Officer, Vice President and General Counsel, Vice President and Chief Financial Officer, Vice President for Campus Affairs, Vice President for University Advancement, Vice President for Research, two academic deans appointed by the Provost, a member appointed by the Administrative Leadership Group and the Executive Director of Computing Services.

Information System is defined as any electronic system that stores, processes, or transmits information.

Roles and Responsibilities

The University's Information Security Policy states that, “Individuals who are authorized to access Institutional Data shall adhere to the appropriate Roles and Responsibilities, as defined in documentation approved by the ESCC and maintained by the Information Security Office.” These roles and responsibilities are defined as follows.

Executive Steering Committee on Computing

In 2008, the President’s Council approved Carnegie Mellon’s Information Security Policy and, by doing so, established the ESCC’s authority to oversee its implementation. Specific oversight responsibilities related to implementation of Carnegie Mellon’s Information Security Policy include the following:

The Director of Information Security is a senior-level employee of the University who oversees the University’s information security program. Responsibilities of the Director of Information Security include the following:

A Data Steward is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. Responsibilities of a Data Steward include the following:

a.

Assigning an appropriate classification to Institutional Data.

All Institutional Data should be classified based on its sensitivity, value and criticality to the University. The University has adopted three primary classifications: public, private and restricted. See the Guidelines for Data Classification for more information.

b.

Assigning day-to-day administrative and operational responsibilities for Institutional Data to one or more Data Custodians.

Data Stewards may assign administrative and operational responsibility to specific employees or groups of employees. A Data Steward could also serve as a Data Custodian. In some situations, multiple groups will share Data Custodian responsibilities. If multiple groups share responsibilities, the Data Steward should understand what functions are performed by what group.

While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Steward’s responsibility to review and approve these standards and procedures. A Data Steward should consider the classification of the data and associated risk tolerance when reviewing and approving these standards and procedures. For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process. A Data Steward should also consider his or her relationship with the Data Custodian(s). For example, different review and approval processes may be appropriate based on the reporting relationship of the Data Custodian(s).

d.

Determining the appropriate criteria for obtaining access to Institutional Data.

A Data Steward is accountable for who has access to Institutional Data. This does not imply that a Data Steward is responsible for day-to-day provisioning of access. Provisioning access is the responsibility of a Data Custodian. A Data Steward may decide to review and authorize each access request individually or a Data Steward may define a set of rules that determine who is eligible for access based on business function, support role, etc. For example, a simple rule may be that all students are permitted access to their own transcripts or all staff members are permitted access to their own health benefits information. These rules should be documented in a manner that allows little or no room for interpretation by a Data Custodian.

e.

Ensuring that Data Custodians implement reasonable and appropriate security controls to protect the confidentiality, integrity and availability of Institutional Data.

The Information Security Office has published guidance on implementing reasonable and appropriate security controls based on three classifications of data: public, private and restricted. See the Guidelines for Data Classification and the Guidelines for Data Protection for more information. Data Steward will often have their own security requirements specified in contractual language and/or based on various industry standards. Data Stewards should be familiar with their own unique requirements and ensure Data Custodians are also aware of and can demonstrate compliance with these requirements. The Information Security Office can assist with mapping controls identified in the Guidelines for Data Protection to controls mandated by contract(s) or industry standards.

f.

Understanding and approving how Institutional Data is stored, processed and transmitted by the University and by third-party Agents of the University.

In order to ensure reasonable and appropriate security controls are implemented, a Data Steward must understand how data is stored, processed and transmitted. This can be accomplished through review of data flow documentation maintained by a Data Custodian. In situations where Institutional Data is being managed by a third-party, the contract or service level agreement should require documentation of how data is or will be stored, processed and transmitted.

g.

Defining risk tolerance and accepting or rejecting risk related to security threats that impact the confidentiality, integrity and availability of Institutional Data.

Information security requires a balance between security, usability and available resources. Risk management plays an important role in establishing this balance. Understanding what classifications of data are being stored, processed and transmitted will allow Data Stewards to better assess risks. Understanding legal obligations and the cost of non-compliance will also play a role in this decision making. Both the Information Security Office and the Office of General Counsel can assist Data Stewards in understanding risks and weighing options related to data protection.

h.

Understanding how Institutional Data is governed by University policies, state and federal regulations, contracts and other legal binding agreements.

Data Stewards should understand whether or not any University policies govern their Institutional Data. For example, the Information Security Policy governs the protection of all Institutional Data. The Policy on Student Privacy Rights specifically addresses the privacy of student information. Other policies exist to help govern financial information, health information, etc. Visit the University’s policy website for a comprehensive list of University policies. Similarly, Data Stewards are responsible for having a general understanding of legal and contractual obligations surrounding Institutional Data. For example, the Family Educational Rights and Privacy Act (“FERPA”) dictates requirements related to the handling of student information. The Office of General Counsel can assist Data Stewards in gaining a better understanding of legal obligations.

A Data Custodian is an employee of the University who has administrative and/or operational responsibility over Institutional Data. In many cases, there will be multiple Data Custodians. An enterprise application may have teams of Data Custodians, each responsible for varying functions. A Data Custodian is responsible for the following:

a.

Understanding and reporting on how Institutional Data is stored, processed and transmitted by the University and by third-party Agents of the University.

Understanding and documenting how Institutional Data is being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Steward.

b.

Implementing appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of Institutional Data.

The Information Security Office has published guidance on implementing reasonable and appropriate security controls for three classifications of data: public, private and restricted. See the Guidelines for Data Classification and the Guidelines for Data Protection for more information. Contractual obligations, regulatory requirements and industry standards also play in important role in implementing appropriate safeguards. Data Custodians should work with Data Stewards to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Steward.

Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that Institutional Data is handled in a consistent manner. This will also help ensure that safeguards are being effectively leveraged.

d.

Provisioning and deprovisioning access to Institutional Data as authorized by the Data Steward.

Data Custodians are responsible for provisioning and deprovisioning access based on criteria established by the appropriate Data Steward. As specified above, standard procedures for provisioning and deprovisioning access should be documented and made available to the appropriate Data Steward.

e.

Understanding and reporting on security risks and how they impact the confidentiality, integrity and availability of Institutional Data.

Data Custodians should have a thorough understanding of security risks impacting their Institutional Data. For example, storing or transmitting sensitive data in an unencrypted form is a security risk. Protecting access to data using a weak password and/or not patching a vulnerability in a system or application are both examples of security risks. Security risks should be documented and reviewed with the appropriate Data Steward so that he or she can determine whether greater resources need to be devoted to mitigating these risks. This Information Security Office can assist Data Custodians with gaining a better understanding of their security risks.

For the purpose of information security, a User is any employee, contractor or third-party Agent of the University who is authorized to access University Information Systems and/or Institutional Data. A User is responsible for the following:

a.

Adhering to policies, guidelines and procedures pertaining to the protection of Institutional Data.

The Information Security Office publishes various policies, guidelines and procedures related to the protection of Institutional Data and Information Systems. They can be found on the Information Security Office website. Business units and/or Data Stewards may also publish their own unique guidelines and procedures. Information on requirements unique to your business unit or a system you have access to can be found by talking to your manager or system administrator.

b.

Reporting actual or suspected vulnerabilities in the confidentiality, integrity or availability of Institutional Data to a manager or the Information Security Office.

During the course of day-to-day operations, if a User comes across a situation where he or she feels the security of Institutional Data might be at risk, it should be reported to the Information Security Office. For example, if a User comes across sensitive information on a website that he or she feels shouldn’t be accessible, that situation should be reported to the Information Security Office. Additional notifications may be appropriate based on procedures unique to a business unit or defined by a Data Steward. It may be appropriate to notify a local security point of contact that will in turn coordinate with the Information Security Office.

c.

Reporting actual or suspected breaches in the confidentiality, integrity or availability of Institutional Data to the Information Security Office.

Reporting a security breach goes hand in hand with reporting vulnerabilities. See the Procedure for Responding to a Compromised Computer for more information on what constitutes a security breach and for what steps to take if you suspect a security breach. Once again, it may be appropriate to notify a local security point of contact that will in turn coordinate with the Information Security Office.

Restructured document layout and added description for each responsibilities.

0.4

03/27/2009

Doug Markiewicz

Made various typographical and grammatical adjustments based on feedback provided by the Advisory Committee and the Information Security Office. No significant changes were made to underlying ideas.

0.5

04/07/2009

Doug Markiewicz

Made changes to (c) and (d) of the Data Steward responsibilities, (b) and (e) of the Data Custodian responsibilities and (a), (b) and (c) of the User responsibilities. These changes were made to the explanations, not the actually responsibilities.

0.6

09/09/2009

Doug Markiewicz

Inserted roles and responsibilities for the Executive Steering Committee on Computing.